Firmware reversing of the Barracuda Web Application Firewall uncovered development artifacts that should have been removed on the production images. Once the encryption scheme was broken, many QA and development tools were discovered on the affected partitions. Some of these contained sensitive information such as authentication credentials used by internal developers. Firmware version 8.0.1.014 is affected.
41af7991ec90055d2e9576142c80137283f105fdc993d700215ae487f134beefFirmware reversing of the Barracuda Web Application Firewall uncovered debug features that should have been removed on the production images. Appending a debugging statement onto a grub configuration line leads to an early boot root shell. Firmware version 8.0.1.014 is affected.
e7f34bb9440ee19f081d01c8da99a0e8de3728fcc56a3f073d87f5c8a3cf2ad7The Postgres database on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 has default hardcoded credentials. While some security measures were taken to ensure that network connectivity to the Postgres database wouldn't be possible using IPv4, the same measures were not taken for IPv6.
ad169956f0f3396698d40c18a3a0e55793e890d9d218704c030183521609a602The management shell on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 allows the end user to edit the MOTD banner displayed during SSH logon. The editor provided for this is nano. This editor has a keyboard mapped function which lets the user import a file from the local file system into the editor. An attacker can abuse this to read arbitrary files within the allowed permissions.
2a881d9217c48b1606ec88d0bb0823e2e6d7359165db582cfbbd90943ae24f0eInsufficient input validation in the management interface can be leveraged in order to execute arbitrary commands. This can lead to (root) shell access to the underlying operating system on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1.
fe9867b691ca5367a9f8e75d21f16e8f3d6804f2ad561bedd0abd524a2546349An attacker can abuse functionality provided by a script which may be run with root privilege in order to elevate privilege on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1.
541cc742cf8744931b966ccfc14ec82005cd85e4a6e1bff7ce5f93c7ba245576Due to lax filesystem permissions, an attacker can take control of a hardcoded sudo path in order to execute commands as a privileged user on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1.
3f138413d3ee07b7fb98c0ec9430dcebbf62f40cd8ffb3fa592f0455512444f9WatchGuard XTMv version 11.12 Build 516911 suffers from a cross site request forgery vulnerability.
d76e552d2f0dc7711c0487e3374c5934f3930f35befe6e17dc13aafd7bf6ba4aTrendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from a remote root access vulnerability.
8207670b7b23f48f93f2a7d157326bcd7fa8384a29863a9824938cd6f5929a09Trendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from a privilege escalation vulnerability.
d466b761795d8d3086d31d2d398c036a70a01e03515283ad16085a4bf3fe529fTrendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from an arbitrary file write vulnerability that can lead to remote command execution.
26ab7b4f02561adad2e13b1c460f10e7406f2bed3b1a400caf9cd13b6a2cc8daSophos Web Appliance version 4.2.1.3 suffers from a remote code execution vulnerability.
63701a9eb15e305ac51389eaeadb3b1a48ad8b7a79c8e2be9b6f3fa830db7304Sophos Web Appliance version 4.2.1.3 suffers from a privilege escalation vulnerability. An unprivileged user can obtain an MD5 hash of the administrator password which can then be used to discover the plain-text password.
6c3a7db5cb2b8006c493d363dd8ec25ba892a528fb9c8d8faf875f49faee60aaCisco Firepower Threat Management Console suffers from a local file inclusion vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
3bb68d70578902fa49aa28ddac5c00c057ccf7040672b0e7d40d0048e61e4feeCisco Firepower Threat Management Console suffers from a remote command execution vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
478bf4dcc23d2ef96d26269234864bc75b3152960f1f077a183667abd3cd5cd2Cisco Firepower Threat Management Console suffers from a denial of service vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
93b912c298ea153c2c41d2e2762896ea94b468117fac32c32eaf77e232760a41Cisco Firepower Threat Management Console has hard-coded MySQL credentials in use. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
340707f4d5b3dac91cc48f0c12337c760677cc76dc14f6c4697885df69e314c1The Ubiquiti AirGateway, AirFiber, and mFi platforms feature remote administration via an authenticated web-based portal. Lack of CSRF protection in the Remote Administration Portal, and unsafe passing of user input to operating system commands executed with root privileges, can be abused in a way that enables remote command execution.
90378a8805d8e7a9d70f57b6789f59dbe576e315ddf496817ce14425c0361204The Arris DG1670A leverages a combination of technologies to deliver the product functionality. Combining several of these technologies in an unanticipated way will allow an attacker to execute arbitrary commands on the underlying operating system as the most privileged user.
f9f07867f80d6ed81875b0f0f3426862a601d2df3911aea7d48a11a170f6c39bThe Dell Pre-Boot Authentication Driver (PBADRV.sys) contains a vulnerability that can be leveraged to enable an attacker to write arbitrary code. The 'OutputAddress' from the IOCTL call is not validated before it attempts to write to memory. The content of the write is a four-byte hex value that is always greater than that of the kernel base address. Using multiple writes, it may be possible to overwrite the first entry of HalDispatchTable in a way that the entry would point to a user-land address. An attacker need only allocate shellcode at said address and call the ntdll!NtQueryIntervalProfile() function.
4c39d7663202b0e6a4d111b2cedc2d39282bb058581eda40719607e5ea6add5aSeagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled.
5c61cfee09fbb37a6bafacad5f5ac3b5b476c894b553933c75614523958a3ff4Linksys EA6100 Wireless Router suffers from an authentication bypass vulnerability.
a8b20e7d7ed604facccbb2ae990af80afdd4329520a1b779fb7446ad55de4272A vulnerability within the ndvbs module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege. suffers from code execution, and local file inclusion vulnerabilities.
f56522b7ad8171646ac1c3eea8d0052f0c4e3db5b5c86c6dd3e9b9fae91e3b70A vulnerability within the xrvkp module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege.
77a97ac2af8e5d412b8fd4eb9a999feef3db9cd52adba3ce10f5fa61cc3aa2aeVulnerabilities within the srvkp module allows an attacker to inject memory they control into an arbitrary location they define or cause memory corruption. IOCTL request codes 0x96002400 and 0x96002404 have been demonstrated to trigger these vulnerabilities. These vulnerabilities can be used to obtain control of code flow in a privileged process and ultimately be used to escalate the privilege of an attacker. Version affected is 6.14.10.3930.
a2a0c9af7028c25243f0a56d26ca9915265d443f37f6c6fd0844ddb64354f2ce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed